[strongSwan] Routing problem (source address change)
rudolfl at rumatech.com
Wed Aug 8 06:12:53 CEST 2012
I have server and road warrior.
Here are configs (stripped down to only show essential bits):
Basically, road warrior owns an IP address of 10.4.0.104 and wants to
access network 10.5.5.0/24 via IPSec.
IPSec establishes OK.
From road warrior, I cannot ping the host 10.5.5.72, unless I use
ping 10.5.5.72 -I 10.4.0.104
OK, I added a rule to do source NAT in updown script:
ip ro add $PLUTO_PEER_CLIENT via 18.104.22.168 src $PLUTO_MY_CLIENT_NET
(I used bogus IP 22.214.171.124 to force packet routing).
That idea worked and, after establishing IPSec, I can access
Now, for the real problem. Road warrior uses 3G modem to connect to
the Internet. So, IPSec is established via ppp0 interface. The rule I
added binds itself to ppp0 interface. I tried to specify a different
device, but this command fails, unless ppp0 is in use.
ip ro add $PLUTO_PEER_CLIENT via 126.96.36.199 dev <DEV NAME> src $PLUTO_MY_CLIENT_NET
It fails unless I use ppp0 as DEV NAME. (Error is:
RTNETLINK answers: No such process).
Consider situation. I run ping to 10.5.5.72 when routing rule is installed.
If ppp connection breaks, it is re-established. IPSec is not restarted.
Ping obviously breaks, and the rule disappears from the routing list as expected.
Re-instantiate the rule and try ping again. Ping fails with error:
connect: Invalid argument
The only way to recover now is to restart ipsec. After ipsec restart,
pings go through normally again.
So, questions are:
1. What is the best practice to get source NAT to work?
2. When I am in the situation as described, what is happening to the
routing and how can it be fixed?
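As an added example (not the poster's script or anything shipped with strongSwan), the kind of updown helper the post describes, with the route installed via `ip route replace` so that re-instantiating it after a ppp reconnect is idempotent, and a check that the kernel actually resolves the peer subnet with the tunnel source address. It assumes the PLUTO_VERB, PLUTO_PEER_CLIENT, PLUTO_MY_CLIENT_NET and PLUTO_INTERFACE variables exported by the updown plugin; GATEWAY is a placeholder next hop standing in for the bogus address used in the post.

```shell
#!/bin/sh
# Added example, not the poster's script: a minimal strongSwan updown helper
# that installs a route to the peer subnet with an explicit source address
# when the CHILD_SA comes up, and removes it on down. Assumes the PLUTO_*
# variables the updown plugin exports. GATEWAY is a placeholder next hop.
GATEWAY="${GATEWAY:-192.0.2.1}"   # placeholder, not a real gateway
IP="${IP:-ip}"                    # set IP=echo to dry-run without root

# Print the ip(8) arguments for a verb; return 1 for verbs we do not handle.
route_cmd() {
    verb="$1"; peer="$2"; mine="$3"; dev="$4"
    case "$verb" in
        up-client)
            # 'src' makes the kernel pick the tunnel address for outgoing
            # packets so they match the IPsec policy without 'ping -I'.
            # 'replace' is idempotent, so re-running it after a ppp
            # reconnect does not fail the way a second 'add' would.
            echo "route replace $peer via $GATEWAY dev $dev src $mine" ;;
        down-client)
            echo "route del $peer dev $dev" ;;
        *) return 1 ;;
    esac
}

# Check that an 'ip route get <dst>' output ($1) carries the expected
# source address ($2), so a stale route is noticed before a ping fails.
route_uses_src() {
    case " $1 " in
        *" src $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

main() {
    args="$(route_cmd "$PLUTO_VERB" "$PLUTO_PEER_CLIENT" \
                      "$PLUTO_MY_CLIENT_NET" "$PLUTO_INTERFACE")" || return 0
    # shellcheck disable=SC2086  # word splitting of $args is intended
    $IP $args || return 1
    if [ "$PLUTO_VERB" = up-client ]; then
        # Verify the kernel resolves the peer subnet with the tunnel source.
        line="$($IP route get "${PLUTO_PEER_CLIENT%/*}" 2>/dev/null)"
        route_uses_src "$line" "$PLUTO_MY_CLIENT_NET" ||
            logger -t updown "route to $PLUTO_PEER_CLIENT lacks src $PLUTO_MY_CLIENT_NET"
    fi
}

# Only act when invoked by strongSwan; sourcing the file elsewhere is a no-op.
if [ -n "$PLUTO_VERB" ]; then main; fi
```

Run it with `IP=echo PLUTO_VERB=up-client PLUTO_PEER_CLIENT=10.5.5.0/24 PLUTO_MY_CLIENT_NET=10.4.0.104 PLUTO_INTERFACE=ppp0 sh updown.sh` to see the commands without touching the routing table.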